idnits 2.17.1 draft-xu-intarea-ip-in-udp-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 21, 2020) is 1215 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC5565' is mentioned on line 118, but not defined == Unused Reference: 'RFC4301' is defined on line 381, but no explicit reference was found in the text ** Obsolete normative reference: RFC 1981 (Obsoleted by RFC 8201) ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 5405 (Obsoleted by RFC 8085) ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) -- Obsolete informational reference (is this intentional?): RFC 6830 (Obsoleted by RFC 9300, RFC 9301) Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTAREA Working Group X. Xu 3 Internet-Draft Alibaba Inc 4 Intended status: Standards Track H. Assarpour 5 Expires: June 24, 2021 Broadcom 6 S. Ma 7 Mellanox 8 D. Bernier 9 Canada Bell 10 D. Dukes 11 Cisco 12 S. Hegde 13 Juniper 14 Y. Lee 15 Comcast 16 Y. Fan 17 China Telecom 18 December 21, 2020 20 Encapsulating IP in UDP 21 draft-xu-intarea-ip-in-udp-10 23 Abstract 25 Existing IP-in-IP encapsulation technologies are not adequate for 26 efficient load balancing of IP-in-IP traffic across IP networks. 27 This document specifies additional IP-in-IP encapsulation technology, 28 referred to as IP-in-UDP (User Datagram Protocol), which can 29 facilitate the load balancing of IP-in-IP traffic across IP networks. 31 Requirements Language 33 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 34 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 35 document are to be interpreted as described in RFC 2119 [RFC2119]. 37 Status of This Memo 39 This Internet-Draft is submitted in full conformance with the 40 provisions of BCP 78 and BCP 79. 42 Internet-Drafts are working documents of the Internet Engineering 43 Task Force (IETF). Note that other groups may also distribute 44 working documents as Internet-Drafts. The list of current Internet- 45 Drafts is at https://datatracker.ietf.org/drafts/current/. 47 Internet-Drafts are draft documents valid for a maximum of six months 48 and may be updated, replaced, or obsoleted by other documents at any 49 time. It is inappropriate to use Internet-Drafts as reference 50 material or to cite them other than as "work in progress." 52 This Internet-Draft will expire on June 24, 2021. 54 Copyright Notice 56 Copyright (c) 2020 IETF Trust and the persons identified as the 57 document authors. All rights reserved. 59 This document is subject to BCP 78 and the IETF Trust's Legal 60 Provisions Relating to IETF Documents 61 (https://trustee.ietf.org/license-info) in effect on the date of 62 publication of this document. Please review these documents 63 carefully, as they describe your rights and restrictions with respect 64 to this document. Code Components extracted from this document must 65 include Simplified BSD License text as described in Section 4.e of 66 the Trust Legal Provisions and are provided without warranty as 67 described in the Simplified BSD License. 69 Table of Contents 71 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 72 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 73 3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 4 74 4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 5 75 5. Congestion Considerations . . . . . . . . . . . . . . . . . . 6 76 6. Applicability Statements . . . . . . . . . . . . . . . . . . 6 77 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 78 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 79 9. Security Considerations . . . . . . . . . . . . . . . . . . . 7 80 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 81 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 82 10.2. Informative References . . . . . . . . . . . . . . . . . 9 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 85 1. Introduction 87 To fully utilize the bandwidth available in IP networks and/or 88 facilitate recovery from a link or node failure, load balancing of 89 traffic over Equal Cost Multi-Path (ECMP) and/or Link Aggregation 90 Group (LAG) across IP networks including Wide Area Networks (WAN) and 91 Data Center Networks (DCN) is widely used. There are increasing 92 applications of the IP-in-IP encapsulation on the WAN and DCN 93 environments, such as Global Accelerator (GA) on public cloud 94 providers' WAN and high-performance DCNs. [RFC5640] describes a 95 method for improving the load balancing efficiency of IP-in-IP 96 traffic over Layer Two Tunneling Protocol - Version 3 (L2TPv3) 98 [RFC3931] and Generic Routing Encapsulation (GRE) [RFC2784] 99 encapsulations. However, this method requires core routers or 100 switches to perform hash calculation on the "load-balancing" field 101 contained in tunnel encapsulation headers (i.e., the Session ID field 102 in L2TPv3 headers or the Key field in GRE headers), which is not 103 widely supported by existing core routers and data center switches. 105 Most existing routers and data center switches are already capable of 106 distributing IP traffic "microflows" [RFC2474] over ECMP paths and/or 107 LAG based on the hash of the five-tuple of User Datagram Protocol 108 (UDP) [RFC0768] and Transmission Control Protocol (TCP) packets 109 (i.e., source IP address, destination IP address, source port, 110 destination port, and protocol). By encapsulating the IP traffic 111 into an UDP tunnel and using the source port of the UDP header as an 112 entropy field, the existing load-balancing capability as mentioned 113 above can be leveraged to provide fine-grained load-balancing of IP- 114 in-IP traffic over IP networks. This is similar to why LISP 115 [RFC6830] , MPLS-in-UDP [RFC7510] and VXLAN [RFC7348] use UDP 116 encapsulation. Therefore, this specification defines an IP-in-UDP 117 encapsulation method which is an alternative encapsulation used in 118 [RFC5565] in addition to L2TPv3 and GRE. 120 IPv6 flow label has been proposed as an entropy field for load 121 balancing in IPv6 network environment [RFC6438]. However, as stated 122 in [RFC6936], the end-to-end use of flow labels for load balancing is 123 a long-term solution and therefore the use of load balancing using 124 the transport header fields would continue until any widespread 125 deployment is finally achieved. As such, IP-in-UDP encapsulation 126 would still have a practical application value in the IPv6 networks 127 during this transition timeframe. Of course, it RECOMMENDED that the 128 IPv6 flow label is filled with an entropy value as well. In this 129 way, core routers or switches could perform load-balancing of IP-in- 130 IP traffic using either the approach as described in [RFC6438] or the 131 UDP five tuple accordingly. 133 Similarly, the IP-in-UDP encapsulation format defined in this 134 document by itself cannot ensure the integrity and privacy of data 135 packets being transported through the IP-in-UDP tunnels and cannot 136 enable the tunnel decapsulators to authenticate the tunnel 137 encapsulator. Therefore, in the case where any of the above security 138 issues is concerned, the IP-in-UDP SHOULD be secured with DTLS 139 [RFC6347]. For more details, please see Section 9 of Security 140 Considerations. 142 2. Terminology 144 3. Encapsulation in UDP 146 IP-in-UDP encapsulation format is shown as follows: 148 0 1 2 3 149 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 150 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 151 | Source Port = Entropy | Dest Port = TBD1 | 152 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 153 | UDP Length | UDP Checksum | 154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 155 | | 156 ~ IP Packet ~ 157 | | 158 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 159 Figure 1: IP-in-UDP Encapsulation Format 161 Source Port of UDP: 163 This field contains a 16-bit entropy value that is generated by 164 the encapsulator to uniquely identify a flow. What constitutes 165 a flow is locally determined by the encapsulator and therefore 166 is outside the scope of this document. What algorithm is 167 actually used by the encapsulator to generate an entropy value 168 is outside the scope of this document. 170 To ensure that the source port number is always in the range 171 49152 to 65535 (Note that those ports less than 49152 are 172 reserved by IANA to identify specific applications/protocols) 173 which may be required in some cases, instead of calculating a 174 16-bit entropy, the encapsulator SHOULD calculate a 14-bit 175 entropy and use those 14 bits as the least significant bits of 176 the source port field while the most significant two bits 177 SHOULD be set to binary 11. That still conveys 14 bits of 178 entropy information which would be enough as well in practice. 180 Destination Port of UDP: 182 This field is set to a value (TBD1) allocated by IANA to 183 indicate that the UDP tunnel payload is an IP packet. As for 184 whether the encapsulated IP packet is IPv4 or IPv6, it would be 185 determined according to the Version field in the IP header of 186 the encapsulated IP packet. 188 UDP Length: 190 The usage of this field is in accordance with the current UDP 191 specification [RFC0768]. 193 UDP Checksum: 195 For IPv4 UDP encapsulation, this field is RECOMMENDED to be set 196 to zero for performance or implementation reasons because the 197 IPv4 header includes a checksum and use of the UDP checksum is 198 optional with IPv4. For IPv6 UDP encapsulation, the IPv6 199 header does not include a checksum, so this field MUST contain 200 a UDP checksum that MUST be used as specified in [RFC0768] and 201 [RFC2460] unless one of the exceptions that allows use of UDP 202 zero-checksum mode (as specified in [RFC6935]) applies. 204 IP Packet: 206 This field contains one IP packet. 208 4. Processing Procedures 210 This IP-in-UDP encapsulation causes the original packets to be 211 forwarded across a transit IP network via "UDP tunnels". While 212 performing IP-in-UDP encapsulation, tunnel encapsulators would 213 generate an entropy value and encode it in the Source Port field of 214 the UDP header. The Destination Port field is set to a value (TBD1) 215 allocated by IANA to indicate that the UDP tunnel payload is an IP 216 packet. Transit routers or switches, upon receiving these UDP 217 encapsulated packets, could balance these packets based on the hash 218 of the five-tuple of UDP packets. Tunnel decapsulators receiving 219 these UDP encapsulated packets MUST decapsulate these packets by 220 removing the UDP header and then forward them accordingly (assuming 221 that the Destination Port was set to the reserved value pertaining to 222 IP). 224 Similar to all other IP-in-IP tunneling technologies, IP-in-UDP 225 encapsulation introduces overheads and reduces the effective Maximum 226 Transmission Unit (MTU) size. IP-in-UDP encapsulation may also 227 impact Time-to-Live (TTL) or Hop Count (HC) and Differentiated 228 Services (DSCP). Hence, IP-in-UDP MUST follow the corresponding 229 procedures defined in [RFC2003]. 231 Tunnel encapsulators MUST NOT fragment UDP encapsulated IP packets, 232 and when the outer IP header is IPv4, tunnel encapsulators MUST set 233 the DF bit in the outer IPv4 header. It is strongly RECOMMENDED that 234 the transit IP network be configured to carry an MTU at least large 235 enough to accommodate the added encapsulation headers. Meanwhile, it 236 is strongly RECOMMENDED that Path MTU Discovery [RFC1191] [RFC1981] 237 or Packetization Layer Path MTU Discovery (PLPMTUD) [RFC4821] is used 238 to prevent or minimize fragmentation. Once an tunnel encapsulator 239 needs to perform fragmentation on an original IP packet before 240 encapsulating, it MUST use the same source UDP port for all 241 fragmented packets so as to ensures these fragmented packets are 242 always forwarded on the same path. Note that fragmentation on the 243 original packets is possible only when the packets are IPv4 packets 244 and the DF bit is not set. 246 5. Congestion Considerations 248 Section 3.1.3 of [RFC5405] discussed the congestion implications of 249 UDP tunnels. As discussed in [RFC5405], because other flows can 250 share the path with one or more UDP tunnels, congestion control 251 [RFC2914] needs to be considered. As specified in [RFC5405]: 253 "IP-based traffic is generally assumed to be congestion- controlled, 254 i.e., it is assumed that the transport protocols generating IP-based 255 traffic at the sender already employ mechanisms that are sufficient 256 to address congestion on the path. Consequently, a tunnel carrying 257 IP-based traffic should already interact appropriately with other 258 traffic sharing the path, and specific congestion control mechanisms 259 for the tunnel are not necessary". 261 Since IP-in-UDP is only used to carry IP traffic which is generally 262 assumed to be congestion controlled by the transport layer, it 263 generally does not need additional congestion control mechanisms. 264 Furthermore, as it is explicitly stated in the Application Statements 265 (Section 6), this IP-in-UDP encapsulation method MUST only be used 266 within networks that are well-managed, therefore, congestion control 267 mechanism is not needed. 269 6. Applicability Statements 271 This IP-in-UDP encapsulation technology MUST only be used within 272 networks which are well-managed by a service provider and MUST NOT be 273 used within the Internet. In the well-managed network, traffic is 274 well-managed to avoid congestion and fragmentation are not needed. 276 7. Acknowledgements 278 Thanks to Vivek Kumar, Carlos Pignataro and Mark Townsley for their 279 valuable comments on the initial idea of this document. Thanks to 280 Andrew G. Malis, Joe Touch and Brian E Carpenter for their valuable 281 comments on this document. 283 8. IANA Considerations 285 One UDP destination port number indicating IP needs to be allocated 286 by IANA: 288 Service Name: IP-in-UDP Transport Protocol(s):UDP 289 Assignee: IESG 290 Contact: IETF Chair . 291 Description: Encapsulate IP packets in UDP tunnels. 292 Reference: This document. 293 Port Number: TBD1 -- To be assigned by IANA. 295 One UDP destination port number indicating IP with DTLS needs to be 296 allocated by IANA: 298 Service Name: IP-in-UDP-with-DTLS 299 Transport Protocol(s): UDP 300 Assignee: IESG 301 Contact: IETF Chair . 302 Description: Encapsulate IP packets in UDP tunnels with DTLS. 303 Reference: This document. 304 Port Number: TBD2 -- To be assigned by IANA. 306 9. Security Considerations 308 The security problems faced with the IP-in-UDP tunnel are exactly the 309 same as those faced with IP-in-IP [RFC2003] and IP-in-GRE tunnels 310 [RFC2784]. In other words, the IP-in-UDP tunnel as defined in this 311 document by itself cannot ensure the integrity and privacy of data 312 packets being transported through the IP-in-UDP tunnel and cannot 313 enable the tunnel decapsulator to authenticate the tunnel 314 encapsulator. In the case where any of the above security issues is 315 concerned, the IP-in-UDP tunnel SHOULD be secured with IPsec or DTLS. 316 IPsec was designed as a network security mechanism and therefore it 317 resides at the network layer. As such, if the tunnel is secured with 318 IPsec, the UDP header would not be visible to intermediate routers or 319 switches anymore in either IPsec tunnel or transport mode. As a 320 result, the meaning of adopting the IP-in-UDP tunnel as an 321 alternative to the IP- in-GRE or IP-in-IP tunnel is lost. By 322 comparison, DTLS is better suited for application security and can 323 better preserve network and transport layer protocol information. 325 Specifically, if DTLS is used, the destination port of the UDP header 326 will be filled with a value (TBD2) indicating IP with DTLS and the 327 source port can still be used as an entropy field for load-sharing 328 purposes. 330 If the tunnel is not secured with IPsec or DTLS, some other method 331 should be used to ensure that packets are decapsulated and forwarded 332 by the tunnel tail only if those packets were encapsulated by the 333 tunnel head. If the tunnel lies entirely within a single 334 administrative domain, address filtering at the boundaries can be 335 used to ensure that no packet with the IP source address of a tunnel 336 endpoint or with the IP destination address of a tunnel endpoint can 337 enter the domain from outside. However, when the tunnel head and the 338 tunnel tail are not in the same administrative domain, this may 339 become difficult, and filtering based on the destination address can 340 even become impossible if the packets must traverse the public 341 Internet. Sometimes only source address filtering (but not 342 destination address filtering) is done at the boundaries of an 343 administrative domain. If this is the case, the filtering does not 344 provide effective protection at all unless the decapsulator of an IP- 345 in-UDP validates the IP source address of the packet. 347 10. References 349 10.1. Normative References 351 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 352 DOI 10.17487/RFC0768, August 1980, 353 . 355 [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, 356 DOI 10.17487/RFC1191, November 1990, 357 . 359 [RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery 360 for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August 361 1996, . 363 [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, 364 DOI 10.17487/RFC2003, October 1996, 365 . 367 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 368 Requirement Levels", BCP 14, RFC 2119, 369 DOI 10.17487/RFC2119, March 1997, 370 . 372 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 373 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, 374 December 1998, . 376 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 377 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 378 DOI 10.17487/RFC2784, March 2000, 379 . 381 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 382 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 383 December 2005, . 385 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 386 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 387 . 389 [RFC5405] Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines 390 for Application Designers", RFC 5405, 391 DOI 10.17487/RFC5405, November 2008, 392 . 394 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 395 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, 396 January 2012, . 398 [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and 399 UDP Checksums for Tunneled Packets", RFC 6935, 400 DOI 10.17487/RFC6935, April 2013, 401 . 403 [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement 404 for the Use of IPv6 UDP Datagrams with Zero Checksums", 405 RFC 6936, DOI 10.17487/RFC6936, April 2013, 406 . 408 10.2. Informative References 410 [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, 411 "Definition of the Differentiated Services Field (DS 412 Field) in the IPv4 and IPv6 Headers", RFC 2474, 413 DOI 10.17487/RFC2474, December 1998, 414 . 416 [RFC2914] Floyd, S., "Congestion Control Principles", BCP 41, 417 RFC 2914, DOI 10.17487/RFC2914, September 2000, 418 . 420 [RFC3931] Lau, J., Ed., Townsley, M., Ed., and I. Goyret, Ed., 421 "Layer Two Tunneling Protocol - Version 3 (L2TPv3)", 422 RFC 3931, DOI 10.17487/RFC3931, March 2005, 423 . 425 [RFC5640] Filsfils, C., Mohapatra, P., and C. Pignataro, "Load- 426 Balancing for Mesh Softwires", RFC 5640, 427 DOI 10.17487/RFC5640, August 2009, 428 . 430 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label 431 for Equal Cost Multipath Routing and Link Aggregation in 432 Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011, 433 . 435 [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The 436 Locator/ID Separation Protocol (LISP)", RFC 6830, 437 DOI 10.17487/RFC6830, January 2013, 438 . 440 [RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, 441 L., Sridhar, T., Bursell, M., and C. Wright, "Virtual 442 eXtensible Local Area Network (VXLAN): A Framework for 443 Overlaying Virtualized Layer 2 Networks over Layer 3 444 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014, 445 . 447 [RFC7510] Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black, 448 "Encapsulating MPLS in UDP", RFC 7510, 449 DOI 10.17487/RFC7510, April 2015, 450 . 452 Authors' Addresses 454 Xiaohu Xu 455 Alibaba Inc 457 Email: 13910161692@qq.com 459 Hamid Assarpour 460 Broadcom 462 Email: hamid.assarpour@broadcom.com 463 Shaowen Ma 464 Mellanox 466 Email: mashaowen@gmail.com 468 Daniel Bernier 469 Canada Bell 471 Email: daniel.bernier@bell.ca 473 Darren Dukes 474 Cisco 476 Email: ddukes@cisco.com 478 Shraddha Hegde 479 Juniper 481 Email: shraddha@juniper.net 483 Yiu Lee 484 Comcast 486 Email: Yiu_Lee@Cable.Comcast.com 488 Yongbing Fan 489 China Telecom 491 Email: fanyb@gsta.com